Istio + Kubernetes: Gateway more than one TLS Certificate
I have a Kubernetes cluster with multiple tenants (in different namespaces). I'd like to deploy an independent Istio Gateway object into each tenant, which I seem to be able to do. However, setting up TLS requires a K8s secret that contains the TLS key/cert. The docs indicate that the "secret must be named istio-ingressgateway-certs in the istio-system namespace". This would seem to indicate that I can only have one TLS secret per cluster. Maybe I'm not reading this correctly.

Is there a way to configure independent Istio Gateways in their own namespaces, with their own TLS secrets? How might I go about doing that?

Here is the doc that I'm referencing:
https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-mount/

Any thoughts are much appreciated.
As provided in the Istio documentation, it's possible:

In this section you will configure an ingress gateway for multiple hosts, httpbin.example.com and bookinfo.com.

So you need to create private keys, in this example for bookinfo and httpbin, and update istio-ingressgateway. I created them both and they exist.

bookinfo certs and gateway
kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-bookinfo-certs
lrwxrwxrwx 1 root root 14 Jan 3 10:12 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root root 14 Jan 3 10:12 tls.key -> ..data/tls.key
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https-bookinfo
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-bookinfo-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-bookinfo-certs/tls.key
    hosts:
    - "bookinfo.com"
httpbin certs and gateway
kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-certs
lrwxrwxrwx 1 root root 14 Jan 3 10:07 tls.crt -> ..data/tls.crt
lrwxrwxrwx 1 root root 14 Jan 3 10:07 tls.key -> ..data/tls.key
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "httpbin.example.com"
Haven't made a full reproduction to check if they both work, but if that won't work for you I will try to make it and update the question.
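The answer above shows the pattern: one Gateway per tenant, each on port 443 with its own host and its own certificate mount path, all selecting the same ingress gateway workload. What bites in practice is a copy-paste slip that makes two tenants claim the same host on 443, or point at the same key pair, which silently hands one tenant's traffic (or key material) to another. The script below is an added example, not code from the answerer or from the Istio project: it generates the per-tenant Gateway manifests in the shape used above and runs a pre-apply consistency check over the whole set. The tenant list, the mount paths (which must match the volumes you add to the istio-ingressgateway Deployment) and the rules the check enforces are assumptions for illustration; the check is not Istio's own validation.

```python
"""Generate one Istio Gateway per tenant and sanity-check the set before
`kubectl apply`. Added example for this Q&A page, not Istio project code."""
import json

# Constructed sample tenants. The cert_dir values are assumptions: they must
# match the paths at which the istio-ingressgateway Deployment mounts each
# tenant's TLS Secret (the answer above uses ingressgateway-bookinfo-certs
# for the second one).
TENANTS = [
    {"name": "bookinfo", "host": "bookinfo.com",
     "cert_dir": "/etc/istio/ingressgateway-bookinfo-certs"},
    {"name": "httpbin", "host": "httpbin.example.com",
     "cert_dir": "/etc/istio/ingressgateway-certs"},
]


def gateway_manifest(tenant, namespace="istio-system"):
    """Build a Gateway in the shape used in the answer: one HTTPS server on
    443, SIMPLE TLS, certificate read from the tenant's own mount path."""
    return {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "Gateway",
        "metadata": {"name": f"{tenant['name']}-gateway", "namespace": namespace},
        "spec": {
            "selector": {"istio": "ingressgateway"},
            "servers": [{
                "port": {"number": 443, "name": f"https-{tenant['name']}",
                         "protocol": "HTTPS"},
                "tls": {
                    "mode": "SIMPLE",
                    "serverCertificate": f"{tenant['cert_dir']}/tls.crt",
                    "privateKey": f"{tenant['cert_dir']}/tls.key",
                },
                "hosts": [tenant["host"]],
            }],
        },
    }


def check_gateways(manifests):
    """Return problems found in a set of Gateways that all select the same
    ingress gateway workload. An empty list means the set is consistent.

    Rules (assumed tenant-isolation hygiene, not Istio's validator): a host
    on a port is served by exactly one Gateway, server port names are unique
    per port, every HTTPS server has a TLS mode and a private key, and no
    two Gateways share the same key material.
    """
    problems = []
    host_owner, name_owner, key_owner = {}, {}, {}
    for m in manifests:
        gw = m["metadata"]["name"]
        for srv in m["spec"]["servers"]:
            port = srv["port"]["number"]
            pname = srv["port"]["name"]
            owner = name_owner.get((port, pname))
            if owner and owner != gw:
                problems.append(f"{gw}: port name {pname!r} on {port} already used by {owner}")
            name_owner.setdefault((port, pname), gw)
            for host in srv["hosts"]:
                owner = host_owner.get((port, host))
                if owner and owner != gw:
                    problems.append(f"{gw}: host {host!r} on port {port} already served by {owner}")
                host_owner.setdefault((port, host), gw)
            if srv["port"]["protocol"] == "HTTPS":
                tls = srv.get("tls") or {}
                key = tls.get("privateKey")
                if tls.get("mode") is None or not key:
                    problems.append(f"{gw}: HTTPS server {pname!r} has no TLS mode or private key")
                    continue
                owner = key_owner.get(key)
                if owner and owner != gw:
                    problems.append(f"{gw}: reuses private key {key} of {owner}")
                key_owner.setdefault(key, gw)
    return problems


def render(manifests):
    """Serialise as a v1 List; JSON is valid YAML, so `kubectl apply -f -` accepts it."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": manifests}, indent=2)


if __name__ == "__main__":
    gws = [gateway_manifest(t) for t in TENANTS]
    issues = check_gateways(gws)
    if issues:
        raise SystemExit("\n".join(issues))
    print(render(gws))  # pipe into: kubectl apply -f -
```

Run it as `python gateways.py | kubectl apply -f -`; a host or key collision aborts before anything reaches the API server. Keeping the mount path per tenant (rather than one shared istio-ingressgateway-certs directory) is what lets each tenant rotate its own certificate without touching the others.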